This is part 3 of a four-part series on autonomous vehicle cybersecurity. Part 1 explains the autonomous vehicle software stack, part 2 reviews attack vectors, and this article addresses security gaps. Finally, part 4 explains why you need development and ongoing risk mitigation expertise.
Firmware infiltration has the potential to give hackers the highest level of access to all other components of an autonomous driving system, allowing them to do anything from overriding safety protocols to taking complete control. The consequences can be dire:
- Financial loss
- Injuries or death
- Brand and reputational damage
- Regulatory penalties and fines
- Legal liability and associated litigation costs
With such significant consequences at stake, autonomous vehicle (AV) companies must be prepared to identify and close autonomous vehicle security gaps. Here are some of the most common examples of autonomous vehicle security gaps AV teams should be aware of.
The Top 5 Autonomous Vehicle Security Gaps
With the emergence of fully autonomous systems (i.e., L4/L5), the potential damage from current attack surfaces is magnified. For example, instead of performing an innocuous prank, a bad actor could utilize a Wi-Fi hack as an entry point into the AV compute infrastructure and take over all vehicle operations with potentially catastrophic consequences. The best way to prevent this devastating scenario is to ensure the AV firmware is secure from outside attacks, so that even if the Wi-Fi or other systems are compromised, that attack vector cannot be used to infiltrate more critical compute systems in the vehicle.
1. Tampering with ECUs
Electronic control units (ECUs) provide functional control for various sensors and actuators in vehicle subsystems. Modern vehicles have more than 100 ECUs, each with proprietary code, which previously protected them from attack. Now, malicious actors are targeting ECUs by reflashing them with custom firmware that alters the intended actions of the ECU. Attackers can modify the ECU memory and tamper with security keys while maintaining the integrity of the ECU firmware and updates. An attack like this can go undetected by using hashing techniques and authentication manipulation for updating.
2. Open OBD Ports
Onboard diagnostic (OBD) systems and ports are a part of almost every vehicle produced after 2008. This technology collects vehicle diagnostic data, providing insight into faults and performance. The OBD system interacts with ECUs by communicating over the CAN bus. It uses a handheld device that connects to a PC through a wired connection or Bluetooth. Once connected, a PC can send and receive data to and from the vehicle ECUs. Unfortunately, this connection provides a potential exploitation opportunity in which data packets can be manipulated or malicious data packets can be injected into the vehicle network.
3. Rogue Updates
Increased AV connectivity makes it possible for malicious actors to install rogue firmware updates on vehicles. Typically, rogue updates lead to cyberattacks in which the private data of the vehicle is exploited, allowing hackers to take control of the firmware and introduce malware. In addition, ransomware targeting autonomous cars is emerging, with a number of cases already reported.
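As an added example (not code from this series or from any vendor), the sketch below shows why the hash manipulation described under "Tampering with ECUs" and the rogue updates described here pass a hash-only integrity check, and how authenticating the manifest with a key the attacker does not hold rejects them. It goes slightly beyond the text by also rejecting a replayed older release. The package layout, function names and key are assumptions, and HMAC from the standard library stands in for the asymmetric signature a production update scheme would normally use.

```python
from __future__ import annotations
import hashlib
import hmac
import json

# Constructed device key; this example assumes a real ECU keeps it in
# protected storage, never inside the update package.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def build_package(image: bytes, version: int, key: bytes | None) -> dict:
    """Package an image with a manifest; tag the manifest only if a key is held."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    blob = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest() if key else "0" * 64
    return {"image": image, "manifest": manifest, "tag": tag}


def weak_verify(pkg: dict) -> bool:
    """Hash-only check: the digest travels with the image, so whoever can
    rewrite the image can rewrite the digest as well."""
    return hashlib.sha256(pkg["image"]).hexdigest() == pkg["manifest"]["sha256"]


def hardened_verify(pkg: dict, key: bytes, installed_version: int) -> tuple[bool, str]:
    """Authenticate the manifest first, then check image digest and version."""
    blob = json.dumps(pkg["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg["tag"]):
        return False, "manifest authentication failed"
    if not weak_verify(pkg):
        return False, "image digest mismatch"
    if pkg["manifest"]["version"] <= installed_version:
        return False, "rollback rejected"
    return True, "accepted"


# Constructed sample packages.
genuine = build_package(b"ECU-FW v7 (constructed sample)", 7, DEVICE_KEY)
# Modified image with a recomputed digest, built without the device key.
rogue = build_package(b"ECU-FW v7 (modified sample)", 7, None)
# An authentic but older release replayed to the ECU.
stale = build_package(b"ECU-FW v5 (constructed sample)", 5, DEVICE_KEY)

if __name__ == "__main__":
    for name, pkg in (("genuine", genuine), ("rogue", rogue), ("stale", stale)):
        print(name, weak_verify(pkg), hardened_verify(pkg, DEVICE_KEY, 6))
```

The rogue package passes `weak_verify` because its digest was recomputed to match the modified image, which is the gap the hardened path closes.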
4. Management Mode Manipulation
Processors provide a secure mode of operation, generally referred to as management mode (MM), that governs essential elements of a system. This is implemented as SMM on Intel architecture processors and TrustZone on Arm processors. Attackers may exploit a memory buffer overflow or use other approaches to inject malware and escalate their privileges to access and manipulate MM. This level of access to AV firmware grants an attacker complete control across all parts of a system, giving them free rein over the vehicle and the software that runs it. Unfortunately, this type of attack is difficult to detect because the malware running in MM has such high privileges that malicious actions go undetected by typical anti-malware software.
5. Supply Chain Attacks
Hackers can also mount a firmware attack at the supply chain level—for example, during vehicle manufacture. By exploiting gaps in security attestation processes, they can inject malware into firmware updates that appear legitimate. Attacks can be mounted physically (if they have access to the machine) or remotely, either over networks or over the air. Of course, when it comes to AV original equipment manufacturers (OEMs), there are typically multiple third parties involved in development. Therefore, it’s critical to remember that every third party involved is another potential vulnerability in the supply chain.
How Can You Close These Autonomous Vehicle Security Gaps?
There are many potential cybersecurity risks in autonomous vehicles, from numerous attack vectors to various security gaps. To prevent attacks, autonomous vehicle teams need to implement robust security throughout the development process, from initial design through ongoing risk mitigation.